Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About chris
chris
Motivator
Member since:
03-01-2010
05-06-2021
Community Statistics
| Posts | 408 |
| Solutions | 57 |
| Karma Given | 906 |
| Karma Received | 344 |
| Member Since | 03-01-2010 |
Activity Feed
- Got Karma for Re: How do I concatenate two fields into a string?. 10-31-2024 03:26 AM
- Got Karma for Re: How do I concatenate two fields into a string?. 07-18-2024 07:16 AM
- Got Karma for Re: Finding search strings when all you have is an expired SID. 07-26-2022 05:32 PM
- Got Karma for Re: How do I concatenate two fields into a string?. 07-22-2022 04:27 PM
- Got Karma for Re: How do I concatenate two fields into a string?. 07-13-2022 09:30 AM
- Got Karma for Re: How do I concatenate two fields into a string?. 06-24-2022 01:04 PM
- Got Karma for Re: Index gzipped files without .gz extension. 02-06-2022 10:39 AM
- Got Karma for Re: DNS Lookup via Splunk. 09-10-2021 02:56 AM
- Got Karma for Re: Cannot get to Splunk Web interface. 08-19-2021 05:10 AM
- Got Karma for Re: How do I concatenate two fields into a string?. 05-26-2021 11:26 AM
- Got Karma for Re: DNS Lookup via Splunk. 02-19-2021 06:58 AM
- Got Karma for Re: Improve speed of "append". 11-18-2020 04:49 AM
- Got Karma for Re: Error binding to LDAP. reason="Can't contact LDAP server".. 09-18-2020 04:04 AM
- Karma ldapsearch - Getting objectSid of group members for althomas. 06-05-2020 12:50 AM
- Karma How to display what exactly has been modified in Saved searches/alerts and dashboard? for ahmedbabour. 06-05-2020 12:50 AM
- Karma Re: Renaming Existing Deployment App for nickhills. 06-05-2020 12:50 AM
- Karma How to integrate Microsoft Cloud App security with Splunk for ips_mandar. 06-05-2020 12:50 AM
- Karma Error on maclookup command -- netaddr not found. for nysdanharrison. 06-05-2020 12:50 AM
- Karma Re: Error on maclookup command -- netaddr not found. for MuS. 06-05-2020 12:50 AM
- Karma Re: Error on maclookup command -- netaddr not found. for MuS. 06-05-2020 12:50 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 2 | |||
| 3 |
05-08-2013
09:45 AM
1 Karma
Have a look at:
http://docs.splunk.com/Documentation/Splunk/5.0.2/SearchReference/SearchTimeModifiers
latest and earliest are your friends
Edit:
Sorry my first answer was a bit short I could/should have given you an example.
Your suggestion works very well, I tend to just use earliest & latest because I can't remember the all the other keywords and if you work with savedsearches (or if you start developing dashboards) you only have the earliest & latest as the delimiters of your time frame
One thing that can be important depending on the search is that the time-modifiers will snap to a time,
-4h@h is not the same as -4h@s. And just to make things a little more complicated the timemodifiers can be chained. A useful trick to find out the span/time window that you are searching when playing with time modifiers is to use the addinfo command. You can then easily calculate your span.
This example will search over a time window of 4h starting 5 minutes in the past:
index=_internal GET earliest=-4h@m-5m latest=-5m@m | addinfo | eval span=(info_max_time-info_min_time)/3600
... View more
05-07-2013
03:32 PM
Hi cphair
I think, the problem ist that you loose the information from your base search when you pipe to localize so there is no host field left for the map command. If you already know which hosts you are looking for in the base search you can reuse them in the map search.
I used sourcetype instead of host in this example:
index=_internal source=*splunkd.log (sourcetype=splunkd OR sourcetype=scheduler) | localize | map search="search index=_internal (sourcetype=splunkd OR sourcetype=scheduler) starttimeu=$starttime$ endtimeu=$endtime$"
You have to decide whether you want to loop over a list of hosts or a list of time ranges with the map command. But maybe I misunderstood your question
... View more
05-07-2013
02:54 PM
1 Karma
You can create an empty dummy lookup where you need it and then use the outputlookup command to populate it.
There is an example in the documentation of the command: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Outputlookup
... View more
05-07-2013
02:48 PM
1 Karma
If record 4 is always the last record/event you are interested in you could try this:
base search | stats last(_raw) by co_relation_id
last(_raw) will give you the entire record/event if there is a specific field you are interested in you can use that instead of _raw
An example using the _internal index of Splunk would be:
index=_internal source="/opt/splunk/var/log/splunk/metrics.log" | stats last(_raw) as myraw by group
If you do not want to display the co_relation_id (group in the example):
index=_internal source="/opt/splunk/var/log/splunk/metrics.log" | stats last(_raw) as myraw by group | fields myraw
... View more
05-07-2013
02:32 PM
2 Karma
Yes if you use the transaction command a field called "eventcount" is added to your results.
It is mentioned in the documentation of the transaction command http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Transaction
... View more
05-07-2013
06:06 AM
1 Karma
The problem was that I had set onunloadCancelJobs="true" in the first line of the view xml:
<view isSticky="False" isVisible="true" onunloadCancelJobs="true" template="dashboard.html">
Setting the value to false fixed/works around the problem
The issue only occurs when using Firefox as the Browser as described in /share/splunk/search_mrsparkle/exposed/js/init.js:
// currently this only works on firefox.
// It could be made to work on IE if we removed SplunkPatchWindowUnload or reworked it somehow.
// and I cannot find a way to get this working on safari.
$(window).unload(function() {
if(Splunk.Globals.Jobber && Splunk.util.normalizeBoolean($(document.body).attr("s:onunloadcanceljobs") || false)){
Splunk.Globals.Jobber.listJobs(function(job){
return (job.canBeAutoCancelled());
}).cancel();
}
$(document).unbind();
$(this).unbind();
});
... View more
05-07-2013
05:56 AM
1 Karma
When I try to redirect to the flashtimeline using the sid in an HTML Module:
<module name="HTML">
<param name="html"><![CDATA[
<a href=flashtimeline?sid=$results.sid$> View Results</a>
]]></param>
</module>
I get errors like theese:
The job appears to have expired or has been canceled. Splunk could not retrieve data for this search.
[SimpleResultsTable module] [HTTP 404] https://127.0.0.1:8089/services/search/jobs/1367928740.698/results?count=10&time_format=%25s.%25Q&output_mode=xml&output_time_format=%25Y-%25m-%25dT%25H%3A%25M%3A%25S.%25Q%25z; [{'code': None, 'text': 'Unknown sid.', 'type': 'FATAL'}]
The job is created in the filesystem and there is no time issue as described in the flashtimeline view:
http://splunk-base.splunk.com/answers/22969/getting-an-error-banner-http-404-textunknown-sidcode-none-type-fatal-when-searching-in-splunk-web-and-no-results
I can even view the job in https:// :8089/services/search/jobs/ as long as I do not click on the link.
As soon as I click on the link something seems to break.
... View more
05-03-2013
03:18 PM
1 Karma
You could setup, a Manager Role that inherits from every AppName_R role. aholzer's suggestion works as well but you can loop through the metadata/default.meta on the filesystem and add the additional role to the read stanza.
... View more
05-03-2013
03:05 PM
Good luck let me know if it does not work/isn't what you wanted
... View more
05-03-2013
03:01 PM
1 Karma
Have a look at the stats command, you could try something like:
sourcetype="AAA_CDR" bob.com Total_Bytes > 0 | convert timeformat="%j" ctime(Event_Time) AS day | stats dc(day) sum(Total_Bytes) by User
... View more
05-02-2013
05:50 AM
Hi,
ist it possible to split events in a file based on a position? I have a file that has fixed width events of 200 chars and would like to index them as single events into Splunk.
Thanks
Chris
... View more
02-14-2013
01:48 AM
Thanks for replying, the indexer queues (SOS) seem to be ok, the 256KBps is not a problem either the forwarder has a thruput close to 0 for most of the time and then from time to time indexes its data(I don't see why it behaves like this). I see a couple of WARN TcpOutputProc - Raw connection to ip= :9997 timed out in splunkd.log of the forwarder. So it might be the network. I opened a case for the issue.
... View more
02-13-2013
08:18 AM
Hi
I have a forwarder on AIX with vresion 4.3.3 that probably has a problem with its parsingqueue
I see the following in metrics.log:
02-13-2013 16:47:50.219 +0100 INFO Metrics - group=queue, name=parsingqueue, max_size_kb=512, current_size_kb=449, current_size=9, largest_size=9, smallest_size=8
02-13-2013 16:48:21.226 +0100 INFO Metrics - group=queue, name=parsingqueue, max_size_kb=512, current_size_kb=449, current_size=9, largest_size=9, smallest_size=9
splunkd.log contains a lot of :
02-13-2013 17:01:37.238 +0100 INFO TailingProcessor - ...continuing.
02-13-2013 17:01:42.241 +0100 INFO TailingProcessor - Could not send data to output queue(parsingQueue), retrying...
Restarting splunk does not change the current_size_kb or current_size values so I tried to increase the queue size following this answer:
http://splunk-base.splunk.com/answers/38218/universal-forwarder-parsingqueue-kb-size
This leads to an increase of max_size_kb and current_size_kb but does not result in the forwarder sending anything to the indexer.
If current_size indicates how many events are in the queue the this number is relatively low.
Is there a way to debug what events are stuck in a queue?
Can I somehow manually force the forwarder to empty the queue and drop the events (I know, that this is ugly)?
Another strange thing is, that once in a while (every cupple of hours) the logs are suddenly indexed, but I did not find any hints in splunkd.log or metrics.log. There is an identical system with the same configuration that works fine. The indexer is not very busy it indexes about 30-40GB a day.
Thanks for your help,
Chris
... View more
01-30-2013
09:33 AM
Ist it possible to make an inline drilldown from an HTML module (using a div/link ..) instead of using a SimpleResultsTable or a Table Module?
The HTML Module is used to emulate single values. When a user clicks on one of the values I would like to have the same behaviour as the "drilldown1_tables" in Sideview Utils (Version 2.3).
<module name="HTML">
<param name="html">
<![CDATA[
<h2>Failed Action X:</h2>
<div class="valueDisplay"><div class="inner"><b>$results[0].count$</b></div></div>
<h2>Failed Action Y:</h2>
<div class="valueDisplay"><div class="inner"><b>$results[1].count$</b></div></div>
]]></param>
<module name="Downstream visualization"></module>
</module>
... View more
01-28-2013
06:03 AM
There is a comercial app that can help:
http://www.prelert.com/products/anomaly-detective-for-splunk.html
You could experiment with the trendline command:
index=_internal earliest=-60m@m | timechart span=10m count(host) as count | trendline sma7(count) | tail 1
... View more
01-26-2013
04:38 AM
You could append a "| where isnotnull(myDataField)" after the timechart command. But the resulting Graph could become difficult to read because the data points are not allways at the same intervall anymore.
... View more
01-25-2013
12:10 PM
You can customise the look & feel of your dashboards by using creating a custom css file. You have a css file for an entire app or a specific view
http://docs.splunk.com/Documentation/Splunk/latest/AdvancedDev/UseCSS
To find out which styles you have to set in the css file you can use FireFox with Firebug installed and then right click on the button to see what styles apply to it.
Depending on where your button is it could be something like:
.SplunkModule.Button {
float: right;
}
Good luck
... View more
01-25-2013
11:20 AM
Hi I just had a go at creating the kind of dashboard you wanted to create. The interesting part is at the end. The search i used to get information about the indexes ist:
| rest /services/data/indexes count=0 | chart sum(currentDBSizeMB) by title
You might have to use the splunk_server option if you have a distributed environment and only want to list indexes on specific splunk servers:
| rest /services/data/indexes count=0 splunk_server=myserver | chart sum(currentDBSizeMB) by title
<view stylesheet="dashboard2.css" template="dashboard.html">
<label>Summary</label>
<module name="AccountBar" layoutPanel="appHeader" />
<module name="AppBar" layoutPanel="navigationHeader" />
<module name="Message" layoutPanel="messaging">
<param name="filter">*</param>
<param name="clearOnJobDispatch">False</param>
<param name="maxSize">1</param>
</module>
<module name="TitleBar" layoutPanel="viewHeader">
<param name="actionsMenuFilter">dashboard</param>
</module>
<module name="SearchBar" layoutPanel="splSearchControls-inline">
<param name="useAssistant">true</param>
<param name="useTypeahead">true</param>
<param name="useOwnSubmitButton">False</param>
<module name="TimeRangePicker">
<param name="selected">All time</param>
<param name="searchWhenChanged">False</param>
<module name="SubmitButton">
<param name="allowSoftSubmit">True</param>
<module name="ViewRedirector" layoutPanel="viewHeader">
<param name="viewTarget">flashtimeline</param>
</module>
</module>
</module>
</module>
<!--
indexed data panels
-->
<!-- The first list of sources -->
<module name="HiddenSearch" layoutPanel="panel_row2_col1" autoRun="true">
<param name="search">| metadata type=sources | search totalCount>0 | rename totalCount as Count recentTime as "Last Update" | table source Count "Last Update" | fieldformat Count=tostring(Count, "commas") | fieldformat "Last Update"=strftime('Last Update', "%c")</param>
<param name="maxCount">100000</param>
<param name="earliest">rt</param>
<param name="latest">rt</param>
<module name="SimpleResultsHeader">
<param name="entityName">results</param>
<param name="headerFormat">Sources (%(count)s)</param>
<!-- SPL-42701. Add back in later.
<module name="PostProcessFilter">
<param name="prefixSearch">eval _raw=source</param>
-->
<module name="Paginator">
<param name="entityName">results</param>
<param name="maxPages">10</param>
<module name="SimpleResultsTable">
<param name="entityName">results</param>
<param name="drilldown">row</param>
<module name="HiddenSearch">
<param name="search">*</param>
<module name="ConvertToIntention">
<param name="intention">
<param name="name">addterm</param>
<param name="arg">
<param name="source">$click.value$</param>
</param>
</param>
<module name="ViewRedirector">
<param name="viewTarget">flashtimeline</param>
<param name="uriParam.auto_pause">true</param>
</module>
</module>
</module>
</module>
<!--
SPL-42701. Add back in later.
</module>
-->
</module>
</module>
</module>
<module name="StaticContentSample" layoutPanel="panel_row1_col1" group="All indexed data">
<param name="text">This lists all of the data you have loaded into your default indexes. <a href="/manager/search/adddata"> Add more data</a>.</param>
<param name="groupLabel">All indexed data</param>
</module>
<!-- The list of sourcetypes AND the top panel -->
<module name="HiddenSearch" layoutPanel="panel_row3_col1" autoRun="true">
<param name="search">| metadata type=sourcetypes | search totalCount>0 | rename totalCount as Count recentTime as "Last Update"</param>
<param name="maxCount">100000</param>
<param name="earliest">rt</param>
<param name="latest">rt</param>
<module name="HiddenPostProcess" layoutPanel="panel_row1_col1">
<param name="search">| stats sum(Count)</param>
<module name="SingleValue">
<param name="beforeLabel">Events indexed</param>
<param name="format">number</param>
</module>
</module>
<module name="HiddenPostProcess" layoutPanel="panel_row1_col1">
<param name="search">| stats min(firstTime) as min | eval min=strftime(min,"%c")</param>
<module name="SingleValue">
<param name="beforeLabel">Earliest event</param>
<param name="format">string</param>
</module>
</module>
<module name="HiddenPostProcess" layoutPanel="panel_row1_col1">
<param name="search">| stats max(lastTime) as max | eval max=strftime(max,"%c")</param>
<module name="SingleValue">
<param name="beforeLabel">Latest event</param>
<param name="format">string</param>
</module>
</module>
<module name="HiddenPostProcess" layoutPanel="panel_row3_col1">
<param name="search">table sourcetype Count "Last Update" | fieldformat Count=tostring(Count, "commas") | fieldformat "Last Update"=strftime('Last Update', "%c")</param>
<module name="SimpleResultsHeader">
<param name="entityName">results</param>
<param name="headerFormat">Source types (%(count)s)</param>
<module name="Paginator">
<param name="entityName">results</param>
<param name="maxPages">10</param>
<module name="SimpleResultsTable">
<param name="entityName">results</param>
<param name="drilldown">row</param>
<module name="HiddenSearch">
<param name="search">*</param>
<module name="ConvertToIntention">
<param name="intention">
<param name="name">addterm</param>
<param name="arg">
<param name="sourcetype">$click.value$</param>
</param>
</param>
<module name="ViewRedirector">
<param name="viewTarget">flashtimeline</param>
<param name="uriParam.auto_pause">true</param>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
<!-- The list of hosts -->
<module name="HiddenSearch" layoutPanel="panel_row3_col2" autoRun="true">
<param name="search">| metadata type=hosts | search totalCount>0 | rename totalCount as Count recentTime as "Last Update" | table host Count "Last Update" | fieldformat Count=tostring(Count, "commas") | fieldformat "Last Update"=strftime('Last Update', "%c")</param>
<param name="maxCount">100000</param>
<param name="earliest">rt</param>
<param name="latest">rt</param>
<module name="SimpleResultsHeader">
<param name="entityName">results</param>
<param name="headerFormat">Hosts (%(count)s)</param>
<module name="Paginator">
<param name="entityName">results</param>
<param name="maxPages">10</param>
<module name="SimpleResultsTable">
<param name="entityName">results</param>
<param name="drilldown">row</param>
<module name="HiddenSearch">
<param name="search">*</param>
<module name="ConvertToIntention">
<param name="intention">
<param name="name">addterm</param>
<param name="arg">
<param name="host">$click.value$</param>
</param>
</param>
<module name="ViewRedirector">
<param name="viewTarget">flashtimeline</param>
<param name="uriParam.auto_pause">true</param>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
<module name="HiddenSearch" layoutPanel="panel_row1_col2" autoRun="true">
<param name="latest">now</param>
<param name="earliest">-15m</param>
<param name="search"><![CDATA[
| rest /services/data/indexes count=0 | chart sum(currentDBSizeMB) by title
]]></param>
<module name="HiddenChartFormatter">
<param name="chart">pie</param>
<param name="chartTitle">Index Sizes</param>
<module name="JSChart" />
</module>
<module name="SimpleResultsHeader">
<param name="entityName">results</param>
<param name="headerFormat">Indexes (%(count)s)</param>
<module name="Paginator">
<param name="entityName">results</param>
<module name="SimpleResultsTable" />
</module>
</module>
</module>
</view>
... View more
01-25-2013
10:41 AM
I'm assuming you're talking about this view at
http://yourserver/en-US/manager/search/data/ui/views:
The view/dashboard is in:
$SPLUNK_HOME/etc/apps/search/default/data/ui/views/dashboard_live.xml
You can go to the manager in the search app click "User Interface" and then "Views" there you see the dashboard_live you can clone it or edit it directly
... View more
01-25-2013
10:28 AM
1 Karma
This is doable got to the Manager click on "User Interface" and the views in your app for every view you can set the permissions for the roles you have in Splunk. You can create your own roles and assign the users to those roles.
There is some info here
http://docs.splunk.com/Documentation/Splunk/latest/Security/Addandeditroles
But I think you should be fine be just copying the default user or power roles and assign the users accordingly
... View more
01-25-2013
10:18 AM
1 Karma
1.) No, Splunk can be installed on Windows. 2.) You can monitor the Windows Event log, if you want to Monitor a directory with files there are possibilities. 3.) Is easy if the ticketsystem writes log messages. There is an a Splunk App for Windows (http://splunk-base.splunk.com/apps/22315/splunk-app-for-windows) and a so calle technology add on which might be more interesting (http://splunk-base.splunk.com/apps/28933/splunk-for-windows-technology-add-on). 16-18h sounds like it is doable write me an email: sinloft@gmail.com and we can work things out.
... View more
01-25-2013
04:39 AM
I guess there are different ways to solve this depending on what you mean by analyzing the interface & connection.
You could just check /var/log/messages or /var/log/syslog (on a Unix System) for events that indicate that an interface came up or went down and write a search to detect the situation and assume, that if the Interface is ok the connection is ok:
Jan 25 13:10:02 host kernel: [2149765.760464] e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX
Jan 25 13:10:02 host kernel: [2149765.761220] ADDRCONF(NETDEV_UP): eth0: link is not ready
Jan 25 13:10:02 host kernel: [2149765.761235] ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
You could also write a script and set up a scripted input that verifies the connection ( using ping or telnet/nc or maybe wget for an http connection) and the creata a scripted input (easier) or a modular input:
http://docs.splunk.com/Documentation/Splunk/latest/AdvancedDev/ScriptSetup
http://docs.splunk.com/Documentation/Splunk/latest/AdvancedDev/ModInputsIntro
Or maybe the ticketing software will write error messages if there is a connection problem and you can use that information (or you could use all 3 methods)
This app (or the windows pendant) are a good starting point there is a Dashboard called "Connection Details" that will populate if the app is configured correctly:
http://splunk-base.splunk.com/apps/22314/splunk-for-unix-and-linux
-> It is also a good example to see how scripted inputs work (see the inputs.conf file and check the bin directory withi its shell scripts).
Is this the info you were looking for?
Chris
... View more
01-24-2013
11:05 PM
Hm, correct me if I am wrong, but defining a defaultgroup, if it is just done once, should in this case apply for the entire forwarder that receives the app through the deployment server. The defaultgroup is then implicitly applied to all inputs. So a forwarder in City A will forward all its inputs to the indexers in City A. You can check the current config with "/opt/splunkforwarder/bin/splunk btool outputs list" but you probably already knew that.
... View more
